Overview
Centralized Network Inspection on AWS configures the AWS resources needed to filter network traffic. This solution saves you time by automating the process of provisioning a centralized AWS Network Firewall to inspect traffic between your Amazon Virtual Private Clouds (Amazon VPCs).
Benefits
You modify rule groups and firewall policies in the configuration package stored in the Amazon S3 bucket. Each change automatically starts the AWS CodePipeline pipeline, which validates the configuration and then deploys it.
With this solution, you can inspect hundreds or thousands of Amazon VPCs and accounts in one place. You can also centrally configure and manage your AWS Network Firewall, firewall policies, and rule groups.
This solution helps you collaborate on, review, and manage changes to the AWS Network Firewall configuration by using a GitOps workflow: the S3 bucket is the source of truth, and the pipeline applies whatever is committed there.
Technical details
You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.
Step 1
The AWS CloudFormation template deploys an inspection virtual private cloud (VPC) with four subnets in randomly selected Availability Zones within the Region where the solution is deployed.
Step 1a
The solution uses two of the subnets to create the AWS Transit Gateway attachment that connects the inspection VPC to your transit gateway, if you provide an existing transit gateway ID.
Step 1b
The solution uses the other two subnets to create AWS Network Firewall endpoints in two randomly selected Availability Zones within the Region where the solution is deployed.
Step 2
The CloudFormation template creates an Amazon Simple Storage Service (Amazon S3) bucket with a default network firewall configuration that allows all traffic. This default is a permissive starting point: until you commit restrictive rule groups to the bucket, the firewall forwards traffic but blocks nothing. Creating the bucket initiates AWS CodePipeline to run the following stages:
Step 2a
Validation stage: The solution validates the Network Firewall configuration by calling the Network Firewall APIs with dry-run mode enabled, so that unexpected issues surface before an actual change is attempted. This stage also checks that every file referenced in the configuration exists in the JSON file structure.
Step 2b
Deployment stage: The solution creates a new firewall, firewall policy, and rule groups. If any of these resources already exist, the solution updates them instead. This stage also detects drift from the stored configuration and remediates it by applying the latest configuration from the S3 bucket.
If one of the rule group changes fails, the rule group changes roll back to their original state. The solution enables appliance mode on the Transit Gateway attachment to the inspection Amazon Virtual Private Cloud (Amazon VPC) to avoid asymmetric traffic, so that return traffic is routed through the same firewall endpoint that inspected the forward flow. For more information, refer to Appliance in a shared services VPC.
Step 3
The solution creates an Amazon VPC route table for each Availability Zone. Each table's default route targets the Network Firewall endpoint in that same Availability Zone, so traffic stays within its zone on the way to inspection.
Step 4
The solution creates a shared route table associated with the firewall subnets. Its default route targets the transit gateway. This route is created only if a transit gateway ID is provided in the CloudFormation input parameters.
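The validation stage described in step 2a can be reproduced locally before anything reaches the pipeline. The following is an added example written for this page, not the solution's own code: it checks that every rule group a policy references exists and parses, that each is listed under the reference list matching its type, and optionally submits each rule group to Network Firewall with DryRun=True through an injected boto3 client. The package layout it reads (`firewallPolicy.json` plus `ruleGroups/<name>.json`, with local files referenced by relative path in `ResourceArn`) is an assumption made for the example, not the solution's documented format, and the sample package it writes is constructed data.

```python
"""Offline validation of a Network Firewall configuration package, modelled on
the pipeline's validation stage. Added example; not the solution's own code.

Assumed layout (an assumption for this example, not the solution's format):
    <root>/firewallPolicy.json     body of a CreateFirewallPolicy request
    <root>/ruleGroups/<name>.json  body of a CreateRuleGroup request
Policy references that are not real ARNs are treated as paths under <root>.
"""
import json
import os
import tempfile

RULE_GROUP_KEYS = ("RuleGroupName", "Type", "Capacity", "RuleGroup")
POLICY_KEYS = ("FirewallPolicyName", "FirewallPolicy")
# Which reference list in a policy may hold which rule-group type.
REFERENCE_TYPES = {
    "StatelessRuleGroupReferences": "STATELESS",
    "StatefulRuleGroupReferences": "STATEFUL",
}


def _load_json(path, errors):
    """Parse a JSON file, recording a readable error instead of raising."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        errors.append(f"missing file: {os.path.basename(path)}")
    except json.JSONDecodeError as exc:
        errors.append(f"invalid JSON in {os.path.basename(path)}: {exc.msg}")
    return None


def validate_package(root, client=None):
    """Check the package under `root`; returns ok/errors/warnings/rule_groups.

    `client` is an optional boto3 "network-firewall" client. When given, each
    rule group is sent with DryRun=True so the service checks it without
    creating anything. The policy is not dry-run: its references are paths.
    """
    errors, warnings, rule_groups = [], [], []
    policy = _load_json(os.path.join(root, "firewallPolicy.json"), errors)
    if policy is None:
        return {"ok": False, "errors": errors, "warnings": warnings, "rule_groups": rule_groups}
    errors += [f"firewallPolicy.json lacks required key {k}" for k in POLICY_KEYS if k not in policy]
    body = policy.get("FirewallPolicy", {})

    referenced = 0
    for list_key, expected_type in REFERENCE_TYPES.items():
        for ref in body.get(list_key, []):
            referenced += 1
            target = ref.get("ResourceArn", "")
            if target.startswith("arn:"):
                continue  # an existing resource; nothing to check locally
            rg = _load_json(os.path.join(root, target), errors)
            if rg is None:
                continue
            missing = [k for k in RULE_GROUP_KEYS if k not in rg]
            if missing:
                errors.append(f"{target} lacks required keys {missing}")
            elif rg["Type"] != expected_type:
                errors.append(f"{target} is {rg['Type']} but is listed under {list_key}")
            else:
                rule_groups.append(rg["RuleGroupName"])
                if client is not None:
                    try:  # botocore raises ClientError when the dry run is rejected
                        client.create_rule_group(DryRun=True, **{k: rg[k] for k in RULE_GROUP_KEYS})
                    except Exception as exc:
                        errors.append(f"dry run rejected {rg['RuleGroupName']}: {exc}")
    if referenced == 0:  # the solution's default configuration looks like this
        warnings.append("policy references no rule groups: every flow will be allowed")
    return {"ok": not errors, "errors": errors, "warnings": warnings, "rule_groups": rule_groups}


def write_sample_package(root, break_rule_group=False):
    """Write a small constructed package (sample data, not real configuration).
    With break_rule_group=True the referenced rule-group file is omitted."""
    os.makedirs(os.path.join(root, "ruleGroups"), exist_ok=True)
    policy = {"FirewallPolicyName": "inspection-policy", "FirewallPolicy": {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [{"ResourceArn": "ruleGroups/deny-telnet.json"}],
    }}
    with open(os.path.join(root, "firewallPolicy.json"), "w", encoding="utf-8") as fh:
        json.dump(policy, fh)
    if break_rule_group:
        return
    rule_group = {  # one Suricata-syntax stateful rule that drops Telnet
        "RuleGroupName": "deny-telnet", "Type": "STATEFUL", "Capacity": 10,
        "RuleGroup": {"RulesSource": {"RulesString":
            'drop tcp any any -> any 23 (msg:"deny telnet"; sid:1000001; rev:1;)'}},
    }
    with open(os.path.join(root, "ruleGroups", "deny-telnet.json"), "w", encoding="utf-8") as fh:
        json.dump(rule_group, fh)


def demo():
    """Validate a good and a broken sample package; returns both results."""
    results = {}
    for name, broken in (("good", False), ("broken", True)):
        with tempfile.TemporaryDirectory() as root:
            write_sample_package(root, break_rule_group=broken)
            results[name] = validate_package(root)
    return results
```

Run `validate_package("/path/to/package", boto3.client("network-firewall"))` against a checked-out package to get the service-side dry run as well; with no client the structural checks alone still catch the missing-file and wrong-type mistakes that would otherwise fail late in the deployment stage. The `warnings` entry for a policy with no rule groups is the allow-all default from step 2 made visible.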